Former Yahoo CEO: Stronger Defense Couldn't Stop Breaches

Former Yahoo CEO Marissa Mayer testifies before a Senate panel on Wednesday.

The former CEO of Yahoo, which had 3 billion accounts exposed in a 2013 data breach and another 500 million in a separate 2014 breach, testified at a Senate hearing that it is tough for any corporation to defend against cyberattacks backed by nation-states.

Last month, Yahoo reported its entire user base of 3 billion accounts was compromised in an August 2013 data breach. While the breach had been previously disclosed, the count of victims is triple Yahoo's December 2016 estimate that 1 billion accounts were compromised (see Yahoo: 3 Billion Accounts Breached in 2013).

Mayer stepped down as CEO of Yahoo earlier this year when Verizon Communications bought the internet company in June for $4.5 billion.

Senator Reacts

In response to Mayer's comment, Sen. Bill Nelson, the Florida Democrat and ranking member of the Senate Commerce, Science and Transportation Committee, which held the hearing, said: "That's an admission you are not protected against state actors." He then asked what Yahoo is doing about it.

A top executive at Yahoo's new owner, Verizon Communications Chief Privacy Officer Karen Zacharia, said that companies such as hers must adopt technologies and processes to improve security as the threat rapidly evolves. She also said business and government must work together to tackle this problem, including working to enact a national data breach notification law.

Zacharia's answer didn't quite satisfy Nelson. "That's a good intention, but it's going to take more," Nelson said. "It's going to take an attitude change among companies such as yours that we've got to go to extreme limits to protect our customers' privacy."

A few minutes later, Sen. Roger Wicker, R-Miss., asked all of those testifying, including the interim and former CEOs of Equifax, Paulino do Rego Barros Jr. and Richard Smith, as well as Entrust Datacard CEO Todd Wilkinson, whether they took issue with Nelson's contention that a "mere company" cannot withstand persistent attacks from state-backed hackers without the help of the National Security Agency. None of the executives responded.

Reluctant Witness

Mayer told the committee that Yahoo learned of a state-sponsored attack on its system in late 2014, and promptly reported it to law enforcement and notified users who were impacted by the hack.

"We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo's systems," she said, based on the March 15 indictment charging four individuals in connection with the 2014 hack (see Russian Spies, Two Others, Indicted in Yahoo Hack). So far, no nation-state connection to the much larger 2013 breach has been revealed.

Mayer told the committee that Yahoo fell victim to the breaches despite devoting substantial resources to security in an attempt to stay ahead of sophisticated and constantly evolving threats.

During her tenure as CEO, she said, Yahoo roughly doubled its internal security staff and made significant investments in its leadership and team. Among those hired, she said: security specialists focused on threat investigations, e-crimes, product security, risk management and offensive engineering. The company adopted a comprehensive information security program designed to enhance its policies, procedures and controls based on the National Institute of Standards and Technology's cybersecurity framework, she said.

Shrouded in Mystery

Those remarks prompted Committee Chairman John Thune, R-S.D., to ask Mayer why, despite these investments, Yahoo failed to detect the massive 2013 breach for three years. Mayer answered that such attacks are complex and persistent and that the understanding of the facts behind them evolves over time. Indeed, the former CEO said, many of the facts behind the breaches remain shrouded in mystery.

To this day, she said, security experts have been unable to identify the specific intrusions that led to the breaches: "We don't exactly understand how the act was perpetrated."
